| Bug ID | 1099012 |
|---|---|
| Summary | BUG: unable to handle kernel paging request at 000000100000004c in put_css_set_locked |
| Classification | openSUSE |
| Product | openSUSE Tumbleweed |
| Version | Current |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Kernel |
| Assignee | kernel-maintainers@forge.provo.novell.com |
| Reporter | jslaby@suse.com |
| QA Contact | qa-bugs@suse.de |
| CC | mhocko@suse.com |
| Found By | --- |
| Blocker | --- |
While doing poweroff of a virtual machine with tumbleweed, a crash occurred:
> [ OK ] Stopped Session c1 of user root.
> BUG: unable to handle kernel paging request at 000000100000004c
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP PTI
> Modules linked in: af_packet iscsi_ibft iscsi_boot_sysfs nls_iso8859_1 nls_cp437 vfat fat snd_hda_codec_generic virtio_gpu ttm snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm drm_kms_helper drm ppdev snd_timer snd fb_sys_fops syscopyarea sysfillrect sysimgblt soundcore joydev pcspkr virtio_input virtio_balloon virtio_net parport_pc i2c_piix4 parport qemu_fw_cfg button ata_generic uhci_hcd ehci_pci ehci_hcd ata_piix usbcore virtio_scsi serio_raw floppy sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua virtio_rng
> CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.17.2-5.g33a2d86-default #1 openSUSE Tumbleweed (unreleased)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
> RIP: 0010:put_css_set_locked+0x7f/0x270
> RSP: 0000:ffffae67806dfda8 EFLAGS: 00010006
> RAX: 0000000fffffffe0 RBX: ffffa03a76ba9cc8 RCX: 0000000000000040
> RDX: ffffa03b015610c8 RSI: 0000000000000000 RDI: ffffa03a76ba9c00
> RBP: ffffa03a76ba9c08 R08: ffffa03b001b47e0 R09: 0000000000000100
> R10: ffffa03b001b4540 R11: ffffa03b001b42a0 R12: ffffa03a76ba9c00
> R13: ffffa03a76ba9d88 R14: dead000000000200 R15: dead000000000100
> FS: 0000000000000000(0000) GS:ffffa03b06880000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000100000004c CR3: 000000004f554000 CR4: 00000000000006e0
The rest of the output was overwritten, unfortunately.

But the assembly is:

```
ffffffff8112d366: 48 8b 43 08    mov    0x8(%rbx),%rax
ffffffff8112d36a: 48 8b 13       mov    (%rbx),%rdx
ffffffff8112d36d: 48 89 42 08    mov    %rax,0x8(%rdx)
ffffffff8112d371: 48 89 10       mov    %rdx,(%rax)
ffffffff8112d374: 4c 89 3b       mov    %r15,(%rbx)
ffffffff8112d377: 4c 89 73 08    mov    %r14,0x8(%rbx)
ffffffff8112d37b: 48 8b 45 00    mov    0x0(%rbp),%rax
ffffffff8112d37f: f6 40 6c 01    testb  $0x1,0x6c(%rax)
```
The crash is on the last line. That is

```c
if (!(css->flags & CSS_NO_REF))
```

from css_put. I.e. css is garbage (0x0000000fffffffe0). This is called from put_css_set_locked as:

```c
for_each_subsys(ss, ssid) {
	list_del(&cset->e_cset_node[ssid]);
	css_put(cset->subsys[ssid]);
}
```
According to rdi (holds cset->subsys) and rbp (iterator which is cset->subsys +
ssid), ssid is 1. If I understand correctly, 1 stands for cpu_cgrp_id, so
cset->subsys[cpu_cgrp_id] is the garbage.
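The following program is an added check, not part of the report and not kernel code: it re-derives the two conclusions above from the register lines of the oops. It assumes, as the report does, that rdi holds cset->subsys, rbp holds &cset->subsys[ssid], and that the 0x6c immediate in the faulting testb is the offset of css->flags; the register lines are transcribed from the dump above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Register lines transcribed from the oops in this report (constructed
 * input for this check; only the lines needed below are kept). */
static const char *oops_lines[] = {
    "RAX: 0000000fffffffe0 RBX: ffffa03a76ba9cc8 RCX: 0000000000000040",
    "RDX: ffffa03b015610c8 RSI: 0000000000000000 RDI: ffffa03a76ba9c00",
    "RBP: ffffa03a76ba9c08 R08: ffffa03b001b47e0 R09: 0000000000000100",
    "CR2: 000000100000004c CR3: 000000004f554000 CR4: 00000000000006e0",
};

/* Immediate from the faulting instruction, testb $0x1,0x6c(%rax):
 * assumed to be the offset of css->flags in this kernel build. */
#define CSS_FLAGS_OFFSET 0x6cULL

/* Pointer size of the x86_64 kernel that produced the oops. */
#define KERNEL_PTR_SIZE 8ULL

/* Return the 64-bit value printed after "NAME: " in the register dump,
 * or 0 if that register is not present in the transcribed lines. */
uint64_t oops_reg(const char *name)
{
    char key[16];
    snprintf(key, sizeof key, "%s: ", name);
    for (size_t i = 0; i < sizeof oops_lines / sizeof oops_lines[0]; i++) {
        const char *p = strstr(oops_lines[i], key);
        if (p)
            return strtoull(p + strlen(key), NULL, 16);
    }
    return 0;
}

/* Address that testb $0x1,0x6c(%rax) tried to read: rax + 0x6c. */
uint64_t fault_address(void)
{
    return oops_reg("RAX") + CSS_FLAGS_OFFSET;
}

/* The garbage css pointer in rax explains the fault only if rax + 0x6c
 * equals CR2, the address the CPU reported for the page fault. */
int fault_matches_cr2(void)
{
    return fault_address() == oops_reg("CR2");
}

/* rdi = cset->subsys, rbp = &cset->subsys[ssid] (per the report); the
 * distance in pointers is the subsystem id the loop was processing. */
uint64_t subsys_index(void)
{
    return (oops_reg("RBP") - oops_reg("RDI")) / KERNEL_PTR_SIZE;
}

int main(void)
{
    printf("css = 0x%016llx, css->flags at 0x%llx, CR2 = 0x%llx -> %s\n",
           (unsigned long long)oops_reg("RAX"),
           (unsigned long long)fault_address(),
           (unsigned long long)oops_reg("CR2"),
           fault_matches_cr2() ? "match" : "mismatch");
    printf("ssid = %llu\n", (unsigned long long)subsys_index());
    return fault_matches_cr2() ? 0 : 1;
}
```

The CR2 comparison is the useful sanity check when reading an oops like this one: if rax + 0x6c had not equalled CR2, the faulting load would not be the css->flags test and the rest of the reasoning about cset->subsys[ssid] would have to be redone.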